MDM: From Nice to Have to Necessity

Jamf
November 13, 2019

Transcript

  1. UP NEXT: MDM: From 'Nice to Have' to Necessity, 2:45 - 3:30 PM (© JAMF Software, LLC)
  2. Rich Trouton
     • 20 years of Mac system support experience
     • Generally can be found drinking a Diet Coke
     • Has been known to write things down
     • @rtrouton on Twitter and Slack
  3. MDM: From "Nice to Have" To Necessity

  4. What is MDM?

  5. • API for sending device management commands
     • For iOS, usable on iOS 4.x and later.
     • For macOS, usable on 10.7.x and later.
     • For tvOS, usable on tvOS 10.x and later.
     • Not all MDM commands are backwards-compatible
  6. Why use it?

  7. Which things are only possible when using MDM?
     • DEP-enabled setup
     • Remote wipe
     • App distribution using VPP
     • UAMDM-based management
  8. How does MDM management work?
     • Apple's push notification services (APNS)
     • Mobile device management (MDM) server
  10. http://init-p01st.push.apple.com/bag

  11. (Image-only slides 11-18: APNS push flow diagram; the only recoverable label is "APNS")

  19. https://support.apple.com/HT203609

  21. • APNS never needs an inbound network connection on your network.
      • Only outbound connections from your network to Apple's network (17.0.0.0/8) are needed for APNS.
      • APNS never makes unsolicited connections.
      • APNS uses TLS 1.2.
      • APNS authenticates all transactions with device tokens and payload tokens, and validates all SSL certificates.
  22. https://twocanoes.com/products/mac/push-diagnostics/

  24. A Push Odyssey: Journey to the Center of APNS: https://www.youtube.com/watch?v=Z-Lg9uBbmfk

  25. What's an MDM server?
      1. HTTPS server
      2. Needs to be able to respond with both of the following:
         • HTTP 200 OK
         • A plist in XML format which contains a command.
  26. Perpetual plist passing

  28. MDM Server Certificates
      • APNS Vendor Certificate
      • APNS Push Certificate
  29. MDM Server Certificates
      • APNS Vendor Certificate: used to sign the certificate signing requests (CSRs) for APNS push certificates
  34. MDM Server Certificates
      • APNS Push Certificate: used by the MDM server to communicate with APNS
  35. https://identity.apple.com

  37. APNS Apple ID Do's and Don'ts
      Do:
      • Have an Apple ID dedicated just to creating your APNS certificate.
      • Have multiple Apple IDs for your APNS certificates if you have more than one MDM server.
      • Have the Apple ID(s) documented.
  38. APNS Apple ID Do's and Don'ts
      Don't:
      • Use a personal Apple ID.
      • Use an Apple ID tied to your specific work email address.
      • Lose the password to your Apple ID(s).
  44. APNS push certificate

  45. APNS push certificate topic

  46. (Image-only slides 46-79: diagram of the MDM server and APNS exchange. Recoverable labels: APNS push certificate topic, APNS device token, PushMagic; "APNS Topic + Device ID =" the push, and the push = "Hey you! Check in with your MDM server!")

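The push-then-check-in loop the diagram slides sketch, written out as an added Python example that is not part of the talk or of any MDM product: the notification handed to APNS carries only the device's PushMagic, and the MDM server's half of the "perpetual plist passing" answers each device report with the next command plist (or an empty HTTP 200 body). The PushMagic, UDID and device reports are constructed sample values.

```python
from __future__ import annotations

import json
import plistlib
import uuid

# Constructed sample values: in a real deployment PushMagic and the UDID arrive in the
# device's TokenUpdate check-in, and the push topic comes from the APNS push certificate.
SAMPLE_PUSH_MAGIC = "CONSTRUCTED-PUSHMAGIC-1234"
SAMPLE_UDID = "00000000-0000-0000-0000-CONSTRUCTED"

def apns_mdm_payload(push_magic: str) -> bytes:
    """The notification the MDM server hands to APNS carries no command at all, only the
    device's PushMagic under the "mdm" key: the "check in with your MDM server" nudge."""
    return json.dumps({"mdm": push_magic}).encode()

def build_command(request_type: str, **params) -> tuple[str, bytes]:
    """Wrap an MDM command in the XML plist the server returns alongside HTTP 200 OK."""
    command_uuid = str(uuid.uuid4()).upper()
    body = {"CommandUUID": command_uuid, "Command": {"RequestType": request_type, **params}}
    return command_uuid, plistlib.dumps(body, fmt=plistlib.FMT_XML)

def decode_report(data: bytes) -> dict:
    """Parse the plist a device sends back: its status for the previous command, or Idle."""
    return plistlib.loads(data)

def next_response(device_report: bytes, pending: dict[str, bytes]) -> bytes:
    """Perpetual plist passing, server side: consume the device's status for the last
    command, then reply with the next queued command plist, or an empty HTTP 200 body."""
    report = decode_report(device_report)
    status = report.get("Status")
    if status in ("Acknowledged", "Error", "CommandFormatError"):
        pending.pop(report.get("CommandUUID"), None)  # that command is finished
    # "NotNow" (device busy) and "Idle" (device asking for work) leave the queue untouched
    if not pending:
        return b""
    return next(iter(pending.values()))

def sample_device_report(command_uuid: str | None, status: str = "Acknowledged") -> bytes:
    """Constructed stand-in for a device's reply: a status for a command, or Idle."""
    report = {"Status": status, "UDID": SAMPLE_UDID}
    if command_uuid is not None:
        report["CommandUUID"] = command_uuid
    if status == "Acknowledged":
        report["QueryResponses"] = {"DeviceName": "constructed-mac"}
    return plistlib.dumps(report)
```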
  80. OS X Mavericks: Kernel extensions should be digitally signed using an Apple Developer ID for Signing Kexts certificate, but this code signing requirement is not enforced strictly. Unsigned kernel extensions can still be installed into /System/Library/Extensions, which is where kernel extensions have been installed up until OS X Mavericks. However, signed kernel extensions must be installed into /Library/Extensions.
      OS X Yosemite: Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. However, it is still possible on OS X Yosemite to enable a kernel extension developer mode which disables the code signing requirement.

  81. OS X El Capitan: Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection, introduced as part of OS X El Capitan, now enforces code signing and explicitly disables the kernel extension developer mode previously available in OS X Yosemite.
      macOS Sierra: Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.
  82. https://support.apple.com/HT207828

  87. MDM macOS 10.13.0 - 10.13.3

  88. macOS High Sierra 10.13.0 - 10.13.3 + MDM: Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.

  90. UAMDM macOS 10.13.4 - Now

  100. Device Enrollment Program (DEP)

  104. = UAMDM automatically enabled

  105. Volume Purchase Program (VPP)

  121. Managed Clients for Mac OS X

  124. Managed Clients for Mac OS X
       Managed        Description                                 User Control
       None, Never    Unmanaged or never set                      User has full control of setting
       Once           Preset with value from MCX                  User has full control of setting
       Often          Reset with value from MCX at each login     User has full control of setting, resets back to MCX-enforced setting at logout
       Always         Forced from MCX                             User cannot control setting

  125. Mobile Device Management
       Managed        Description                                 User Control
       None, Never    Unmanaged or never set                      User has full control of setting
       Once           Preset with value from MCX                  User has full control of setting
       Often          Reset with value from MCX at each login     User has full control of setting, resets back to MCX-enforced setting at logout
       Always         Forced from MCX                             User cannot control setting
  128. MDM ≠ Total Management MCX ≠ Total Management

  129. MDM ≠ Total Management
       SSH
         Profile Can Do: Nothing
         Profile Cannot Do: Turn SSH on and off; Manage SSH configuration
       Sudo
         Profile Can Do: Nothing
         Profile Cannot Do: Manage access to the sudo tool
       Firewall
         Profile Can Do: Turn firewall on and off; Enable stealth mode; Block incoming connections; Allow or block applications from connecting
         Profile Cannot Do: Set IP- or DNS-based firewall rules
       Application Access
         Profile Cannot Do: Whitelist application by code signature; Blacklist application by code signature
       Directory Service
         Profile Can Do: Bind to Active Directory
         Profile Cannot Do: Bind to LDAP*
       *Can bind to Apple's Open Directory
  130. AppleScript, Ruby, JavaScript, Perl, Shell, Python

  131. Script Can Do:
       SSH: Turn SSH on and off; Manage SSH configuration
       Sudo: Manage access to the sudo tool
       Firewall: Turn firewall on and off; Enable stealth mode; Block incoming connections; Allow or block applications from connecting; Set IP- or DNS-based firewall rules
       Directory Service: Bind to Active Directory; Bind to LDAP
  132. https://github.com/google/santa

  134. https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys

  135. https://derflounder.wordpress.com/2015/07/31/gatekeeper-automatically-re-enables-after-30-days-on-yosemite-and-later/

  136. defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false

  138. https://openradar.appspot.com/22094327

  139. Always Manage Manage Once

  140. Re-test for each OS

  144. vs
       1. See if you can use a profile.
       2. If not, use a script.
       3. Check back later to see if you can use a profile.
  145. Useful Links
       Apple Mobile Device Management: https://developer.apple.com/documentation/devicemanagement
       Apple Device Management documentation: https://developer.apple.com/documentation/devicemanagement
       A Push Odyssey - Journey to the Center of APNS: https://www.youtube.com/watch?v=Z-Lg9uBbmfk
       Getting MicroMDM working and working with MicroMDM: https://youtube.com/watch?v=WGKT-PyHz6I
       Demystifying MDM: open source endeavours to manage Macs: https://youtube.com/watch?v=6DBGIDcBKFw

  146. Useful Links
       Apple Mobile Device Management Profile-Specific Payload Keys: https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys
       Santa: https://github.com/google/santa
       Gatekeeper automatically re-enables after 30 days on Yosemite and later: https://derflounder.wordpress.com/2015/07/31/gatekeeper-automatically-re-enables-after-30-days-on-yosemite-and-later/
  147. Downloads
       PDF available from the following link: https://tinyurl.com/JNUC2019PDF
       Keynote slides available from the following link: https://tinyurl.com/JNUC2019Keynote
  148. © JAMF Software, LLC. Thank you for. Give us feedback by completing the 2-question session. UP NEXT: Offboarding in a Modern Workflow, 4:00 PM